International Journal of Computer Trends and Technology (IJCTT) - Volume 4, Issue 5, May 2013

ISSN: 2231-2803 http://www.ijcttjournal.org Page 1481



Client Puzzle Approach for Improving Confidentiality

Ms. Sapna S. Khapre, IV SEM, M.TECH-CSE Department, Smt. Bhagwati Chaturvedi College of Engg., Nagpur University
Prof. Shrikant Ardhapurkar, CSE Department, Smt. Bhagwati Chaturvedi College of Engg., Nagpur University

Abstract

In the present scenario, the security of data and information is the main concern. Different defense strategies have been developed to avoid DoS (Denial of Service) attacks, but they do not provide an optimal solution against DoS attacks. Preventive mechanisms against flooding attacks can be effectively studied through game theory, mainly because of the several trade-offs that exist in a flooding attack defense scenario. For an attacker, there is a trade-off between the severity of his attack and the amount of resources he uses to carry it out: the more damage an attacker intends to cause, the more resources he must spend. For a defender, on the other hand, there is a trade-off between the effectiveness of his defense and the quality of service he provides to legitimate users: the more difficult it becomes to exhaust the defender's resources, the more workload is imposed on legitimate users and hence the lower the quality of service they receive. To improve the quality of service for legitimate users and also to improve confidentiality, a puzzle-based defense technique is used. With the help of a puzzle-based system we can avoid DoS attacks.

1. Introduction
Denial of Service (DoS) vulnerabilities are one of the major concerns in today's Internet. A Denial of Service attack makes a network service unavailable to its legitimate users. A denial of service attack may either be a brute force attack, where the attacker generates spurious network traffic to exhaust server resources, or a semantic attack, where the attacker exploits vulnerabilities of the protocol used. Client puzzles offer a mechanism for a server to counterbalance computational expenditure when subjected to a denial of service attack. On receiving a request, the server generates a puzzle of appropriate difficulty and sends it to the client. When a response is received, the server verifies the solution and provides the requested service only if the solution is correct.

Availability of services in a networked system is a security concern that has received enormous attention in recent years. Most research in this area is on designing and verifying defense mechanisms against denial-of-service (DoS) attacks. A DoS attack is characterized by malicious behavior which prevents the legitimate users of a network service from using that service. There are two principal classes of these attacks: flooding attacks and logic attacks. A flooding attack such as SYN flood, Smurf, or TFN2K sends an overwhelming number of requests for a service offered by the victim. These requests deplete some key resource at the victim so that legitimate users' requests for the same service are denied. A resource may be the capacity of a buffer, CPU time to process requests, the available bandwidth of a communication channel, etc. The resources exhausted by a flooding attack recover when the attack flood stops. A logic attack such as Ping-of-Death or Teardrop forges a fatal message that is accepted and processed by the victim's vulnerable software and leads to resource exhaustion at the victim. Unlike flooding attacks, the effects of a logic attack persist after the attack until appropriate remedial actions are taken. A logic attack can be thwarted by examining the contents of received messages and discarding the malformed ones, because an attack message differs from a legitimate one in content. In flooding attacks, on the contrary, such a distinction is not possible, which makes defense against flooding attacks an arduous task.

A large number of defenses have been devised against flooding attacks. A defense mechanism may be reactive or preventive. A reactive mechanism such as pushback, traceback, or filtering endeavors to alleviate the impact of a flooding attack on the victim by detecting the attack and responding to it. A preventive mechanism, on the other hand, enables the victim to tolerate the attack without denying the service to legitimate users. This is usually done by enforcing restrictive policies for resource consumption. One method for limiting resource consumption is the use of client puzzles.

2. Weaknesses in existing definitions
A DoS countermeasure based on client puzzles
should require appropriate work to be done for each
client request: it should not be possible to solve
many puzzles easily. While the existing models
describe the difficulty of DoS countermeasures
when faced with an adversary trying to solve one
puzzle, these models do not adequately defend
against powerful adversaries who can expend more
than the effort required to solve a single puzzle. In
this section, we consider some puzzles where a
single instance cannot be solved easily by an
attacker, satisfying existing difficulty definitions,
but where an attacker can solve n puzzles more
efficiently than just n times the cost of solving a
single puzzle.

2.1. MicroMint-Based Puzzle
The MicroMint micropayment scheme is effectively a client-puzzle-based micropayment scheme. A coin is a collision in a hash function: it is a pair of values $x_1, x_2$ such that $H(x_1) = H(x_2)$ for a given hash function $H$. It is easy to verify the validity of a coin; generating coins is harder. If $H$ is a regular (or random) function with $\ell$-bit outputs, then to find a collision one must rely on the birthday paradox: hash approximately $2^{\ell/2}$ distinct values and search for a collision. This puzzle can be shown to satisfy the puzzle difficulty definition of the Chen et al. model. However, many collisions can be found without much more work: $n$ collisions can be found with about $\sqrt{n} \cdot 2^{\ell/2}$ hash function calls, much less than $n$ times the $2^{\ell/2}$ cost of solving a single puzzle. We emphasize that this is not an attack on the MicroMint scheme itself: MicroMint was in fact designed so that the amortized cost of generating multiple coins is smaller. While potentially a desirable property in a micropayment scheme, this property is not desirable for client puzzles.
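The amortization argument above is easy to check empirically. The following Python simulation is an added example, not code from the paper or from MicroMint: it uses a truncated SHA-256 as a stand-in for $H$ with an assumed output length of $\ell = 20$ bits and counts hash calls for one collision versus $n = 64$ collisions over the same birthday search. The point for a puzzle designer is that the cost per coin falls well below $2^{\ell/2}$ once many coins are wanted, which is exactly the per-request cost guarantee a DoS countermeasure needs to preserve.

```python
import hashlib
from itertools import count

ELL = 20  # output length of the toy hash in bits (assumption: small enough to run in milliseconds)


def h(x: int, ell: int = ELL) -> int:
    """Truncated SHA-256 acting as the ell-bit hash H of the MicroMint puzzle."""
    digest = hashlib.sha256(x.to_bytes(8, "big")).digest()
    return int.from_bytes(digest, "big") >> (256 - ell)


def find_collisions(n: int, ell: int = ELL):
    """Birthday search: hash the constructed inputs 0, 1, 2, ... until n colliding
    pairs (x1, x2) with h(x1) == h(x2) are found. Returns (pairs, hash_calls)."""
    seen = {}       # hash value -> first input that produced it
    pairs = []
    calls = 0
    for x in count():
        y = h(x, ell)
        calls += 1
        if y in seen:
            pairs.append((seen[y], x))
            if len(pairs) == n:
                return pairs, calls
        else:
            seen[y] = x


def verify_coin(x1: int, x2: int, ell: int = ELL) -> bool:
    """A coin is valid iff the two inputs differ and collide under h (cheap to check)."""
    return x1 != x2 and h(x1, ell) == h(x2, ell)


def amortization_demo(n: int = 64, ell: int = ELL) -> dict:
    """Compare the cost of one collision with the cost of n collisions."""
    _, single_cost = find_collisions(1, ell)
    pairs, batch_cost = find_collisions(n, ell)
    nominal = 2 ** (ell // 2)   # the 2^(ell/2) single-puzzle cost quoted in the text
    return {
        "n": n,
        "single_cost": single_cost,
        "batch_cost": batch_cost,
        "naive_batch_cost": n * single_cost,   # what n independent puzzles would cost
        "nominal_batch_cost": n * nominal,
        "all_coins_valid": all(verify_coin(a, b, ell) for a, b in pairs),
    }


if __name__ == "__main__":
    r = amortization_demo()
    print(f"one collision: {r['single_cost']} hash calls")
    print(f"{r['n']} collisions: {r['batch_cost']} hash calls "
          f"(vs {r['naive_batch_cost']} if solved independently)")
```

With these parameters the batch run needs on the order of $\sqrt{2n} \cdot 2^{\ell/2}$ calls, so the per-coin cost lands far under the nominal $2^{\ell/2}$; a puzzle whose instances are bound to a per-request value (a fresh server nonce in each preimage search, as in section 3) does not share its search space between requests in this way.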

2.2. Generic Puzzle Construction of Chen et al.
Chen et al. proposed a generic client puzzle construction based on a pseudorandom function $F$ and a one-way function $\phi$. The challenger selects a secret $s \in K$ with $|K| = 2^k$ and public parameters, denoted by $\Sigma$, to generate a puzzle. The challenger computes $x \leftarrow F(s, \Sigma)$, where $x \in X$ and $|X| \ge |K|$, and then sets $y \leftarrow \phi(x)$. The solver, given the challenge $(y, \Sigma)$, has to find a pre-image $z$ such that $\phi(z) = y$. This generic construction satisfies the puzzle unforgeability and puzzle difficulty security properties provided certain bounds are met: namely, $|X| \ge |K|$, $|\phi^{-1}(y)| \ge 1$ for all $y$, and $|X| = 2^k$. Suppose we have that $|\phi^{-1}(y)| \ge 1$ and $|X| = 2^k$. Then the bounds in the generic construction are satisfied and solving a single puzzle instance requires approximately $2^k$ searches in $X$. But to solve $n$ puzzles, the solver can find the value $s$ with at most $2^k$ searches and then obtain a solution with one application of $F$ for each puzzle. That is, solving $n$ puzzles would require $2^k + n$ operations rather than the desired $n \cdot 2^k$ computations.

2.3. Number-Theoretic Puzzles
Many client puzzles based on number-theoretic constructions have been presented; these use modular exponentiation and argue for security in the Chen et al. model based on the intractability of the RSA problem. Given a puzzle consisting of an RSA modulus $N$, a challenge $x$, and a large integer $R \gg N$, the solver must compute $x^R \bmod N$. The security argument rests on the assumption that the best known algorithm for this computation requires $O(\log R)$ modular operations, assuming that factoring $N$ requires more than $O(\log R)$ operations. But in fact a much smaller $N$ would still suffice and would reduce the computational costs for the verifier, which is important when puzzles are used at extremely low levels in the network stack, such as TCP. Even with a smaller $N$, say 500 bits, the cost of solving a puzzle by computing $x^R \bmod N$ is still cheaper than factoring. However, if the adversary wants to solve $2^{30}$ puzzles, the best technique is not to solve all these puzzles independently but to first factor $N$ and then use this trapdoor to easily generate solutions.

3. Client puzzle approach
Currently, intruders are beginning to more often use legitimate, or expected, protocols and services as the vehicle for packet streams. The resulting attacks are hard to defend against using standard techniques, as the malicious requests differ from the legitimate ones in intent but not in content. Filtering or rate limiting based on anomalous packets is not feasible at all. In fact, filtering or rate limiting an attack that uses a legitimate and expected type of traffic may complete the intruder's task by causing legitimate services to be denied. The client puzzle approach provides a solution to this problem. It means that before engaging in any resource-consuming operation, the server first generates a puzzle and sends its description to the client that is requesting service from the server. The client has to solve the puzzle and send the result back to the server. The server continues with processing the client's request only if the client's response to the puzzle is correct.

In the client puzzle approach there are three components:
3.1. Sender
3.2. Receiver
3.3. Server






[Figure: three boxes labelled Sender, Server, Receiver]

Figure 1. Client puzzle approach

3.1. Sender

The sender sends a file to the intended user. In the sender's user interface, the user first has to log in; if the login is correct, a hint is given to the user to solve the puzzle. After solving the puzzle correctly, the user is allowed to send the file by using the browse button to select the file that the sender wants to send. The status of the file transfer is shown in the sender's status information text box, and then the sender sends the file. The attack button is used to demonstrate a DoS attack: if this button is pressed, the selected file takes more time to transmit compared to the time taken for file transmission in the normal environment.

3.2. Receiver

The receiver receives the required file from the sender. The receiver's user interface shows the contents of the received file and also displays a message box showing the time taken to transfer the file. It also shows the results of receiving the file, i.e. total packet size, transmission rate, data loss size, etc.

3.3. Server

The server gives the status of the file transmission. The server's user interface gives details of each packet in the file and the number of packets in the file. It also gives status information about the delivery of the file to the receiver.

For transferring a file from the sender to the receiver, the following steps take place:
Step 1: The sender enters a login-id and password.
Step 2: The server generates a puzzle and sends it to the sender.
Step 3: The sender solves the puzzle and sends the solution back to the server.
Step 4: The server verifies whether the puzzle solution is correct or not.
Step 5: If the puzzle is solved correctly and the login-id and password are correct, then the sender can send the file to the intended receiver. If the puzzle is not solved correctly, the service is not provided to the sender.
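Steps 2 to 4 can be written out as a small protocol. The Python below is an added example and is not the paper's system; it assumes a hash-preimage puzzle (SHA-256 over a server nonce and the client's answer must start with a chosen number of zero bits), an assumed difficulty of 12 bits, and a 30-second puzzle lifetime. The server authenticates each puzzle it issues with an HMAC over the puzzle's own fields, so it stores nothing per outstanding puzzle and cannot itself be flooded with half-open puzzle state; it records only redeemed nonces, which stops a solved puzzle from being replayed. Login handling from Steps 1 and 5 is outside the example.

```python
import hashlib
import hmac
import os
import struct
import time

DIFFICULTY_BITS = 12   # assumption: about 2^12 hashes per request, enough to show the mechanism
PUZZLE_TTL = 30        # assumption: seconds a puzzle remains redeemable


def meets_target(nonce: bytes, solution: int, difficulty: int) -> bool:
    """Hash-preimage puzzle: SHA-256(nonce || solution) must start with `difficulty` zero bits."""
    digest = hashlib.sha256(nonce + struct.pack(">Q", solution)).digest()
    return int.from_bytes(digest, "big") >> (256 - difficulty) == 0


def solve(puzzle: dict) -> int:
    """Step 3, client side: brute-force search costing about 2^difficulty hashes."""
    s = 0
    while not meets_target(puzzle["nonce"], s, puzzle["difficulty"]):
        s += 1
    return s


class PuzzleServer:
    """Steps 2 and 4, server side. The puzzle carries an HMAC over its own fields, so the
    server keeps no state per outstanding puzzle; state is created only for redeemed ones."""

    def __init__(self, key: bytes, difficulty: int = DIFFICULTY_BITS, now=time.time):
        self._key = key
        self.difficulty = difficulty
        self._now = now              # injectable clock so expiry can be exercised offline
        self._redeemed = set()       # nonces whose solution was already accepted

    def _tag(self, client_id: str, nonce: bytes, difficulty: int, expires: int) -> bytes:
        msg = client_id.encode() + nonce + struct.pack(">BQ", difficulty, expires)
        return hmac.new(self._key, msg, hashlib.sha256).digest()

    def issue(self, client_id: str) -> dict:
        """Step 2: generate a fresh puzzle bound to this client and to an expiry time."""
        nonce = os.urandom(16)
        expires = int(self._now()) + PUZZLE_TTL
        return {"client_id": client_id, "nonce": nonce, "difficulty": self.difficulty,
                "expires": expires, "tag": self._tag(client_id, nonce, self.difficulty, expires)}

    def verify(self, puzzle: dict, solution: int) -> bool:
        """Step 4: cheap checks first, the hash check last, and service only on success."""
        expected = self._tag(puzzle["client_id"], puzzle["nonce"],
                             puzzle["difficulty"], puzzle["expires"])
        if not hmac.compare_digest(expected, puzzle["tag"]):
            return False    # puzzle was forged or altered (e.g. difficulty lowered)
        if self._now() > puzzle["expires"]:
            return False    # stale puzzle
        if puzzle["nonce"] in self._redeemed:
            return False    # replay of an already-redeemed solution
        if not meets_target(puzzle["nonce"], solution, puzzle["difficulty"]):
            return False    # wrong answer: no service, and no state consumed
        self._redeemed.add(puzzle["nonce"])
        return True


def protocol_demo() -> dict:
    """Run the exchange with a fake clock and return the outcome of each server check."""
    clock = [1_000_000.0]
    server = PuzzleServer(key=b"constructed-demo-key", now=lambda: clock[0])

    honest = server.issue("sender")
    answer = solve(honest)
    accepted = server.verify(honest, answer)
    replayed = server.verify(honest, answer)

    tampered = dict(server.issue("sender"), difficulty=0)   # client lowers its own difficulty
    forged = server.verify(tampered, 0)

    late = server.issue("sender")
    late_answer = solve(late)
    clock[0] += PUZZLE_TTL + 1
    expired = server.verify(late, late_answer)

    return {"accepted": accepted, "replayed": replayed, "forged": forged, "expired": expired}


if __name__ == "__main__":
    print(protocol_demo())
```

The order of checks in verify matters for the defender: the HMAC comparison and the expiry and replay lookups cost far less than the client's search, so a flood of bogus or stale answers is rejected before any service-side resource is touched.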

4. Database
Using Microsoft Access, you can manage all
your information from a single database file.
Within the file, divide your data into separate
storage containers called tables; view, add, and
update table data by using online forms; find and
retrieve just the data you want by using queries;
and analyze or print data in a specific layout by
using reports. Allow users to view, update, or
analyze the database's data from the Internet or an
intranet by creating data access pages. To store
your data, create one table for each type of
information that you track. To bring the data from
multiple tables together in a query, form, report, or
data access page, define relationships between the
tables. A common field relates two tables so that
Microsoft Access can bring together the data from
the two tables for viewing, editing, or printing. In
table Design view, you can create an entire table
from scratch, or add, delete, or customize the fields
in an existing table.
In table Datasheet view, you can add, edit, view,
or otherwise work with the data in a table. You can
also display records from tables that are related to
the current table by displaying subdatasheets within
the main datasheet. With some restrictions, you can
work with the data in subdatasheets in many of the
same ways that you work with data in the main
datasheet.

5. Conclusion
Game theory is used to propose a number of puzzle-based defenses against flooding attacks. So far, the DoS attack environment has been implemented. It shows that the interaction between an attacker who launches a flooding attack and a defender who counters the attack using a puzzle-based defense can be modeled as an infinitely repeated game with discounted payoffs. Database implementation and database connectivity have also been completed.

References
[1] Raju Neyyan, Ancy Paul, Mayank Deshwal and Amit Deshmukh, Game Theory based Defense Mechanism against Flooding Attack using Puzzle, Emerging Trends in Computer Science and Information Technology, pg 5-10, no. 1, April 2012.
[2] Kumar Dayanand and S. Magesh, Defence Strategy
against Flooding Attacks Using Nash Equilibrium
Game Theory, International Conference on
Computing and Control Engineering (ICCCE 2012),
April 2012.
[3] Tanmay Sanjay Khirwadkar, Defense Against
Network Attacks Using Game Theory, University
Of Illinois At Urbana-Champaign, May 2011.
[4] Mehran S. Fallah, A Puzzle-Based Defence
Strategy Against Flooding Attacks Using Game
Theory, IEEE transactions on dependable and
secure computing, vol. 7, no. 1, pg 5-19, 2010.
[5] D. Moore, C. Shannon, D.J. Brown, G.M. Voelker, and S. Savage, Inferring Internet Denial-of-Service Activity, ACM Trans. Computer Systems, vol. 24, no. 2, pp. 115-139, May 2006.
[6] Jelena Mirkovic, Janice Martin and Peter Reiher, A Taxonomy of DDoS Attacks and DDoS Defense Mechanisms, ACM SIGCOMM Computer Communication, Vol. 34, no. 2, pp. 39-53, April 2004.
[7] E. Bursztein and J. Goubalt-Larrecq, A logical
framework for evaluating network resilience against
faults and attacks, Lecture Notes in Computer
Science, Vol. 4846, 2007.
[8] T. Aura, P. Nikander, and J. Leiwo. DoS-Resistant
Authentication with Client Puzzles, Lecture Notes
in Computer Science, vol. 2133, 2001.
[9] Liqun Chen, Paul Morrissey, Nigel P. Smart, and Bogdan Warinschi, Security notions and generic constructions for client puzzles, In Mitsuru Matsui, editor, Advances in Cryptology, Proc. ASIACRYPT 2009, LNCS, volume 5912, pp. 505, 2009.
[10] Markus Jakobsson and Ari Juels, Proofs of work and bread pudding protocols, In Bart Preneel, editor, Proceedings of the IFIP TC6/TC11 Joint Working Conference on Secure Information Networks: Communications and Multimedia Security, IFIP Conference Proceedings, volume 152, pp. 258, 1999.
[11] Douglas Stebila and Berkant Ustaoglu, Towards denial-of-service-resilient key agreement protocols, in Colin Boyd and Juan Nieto, editors, Proc. 14th Australasian Conference on Information Security and Privacy (ACISP) 2009, LNCS, volume 5594, pp. 389, 2009.
[12] Ronald L. Rivest and Adi Shamir, Payword and
micromint: Two simple micropayment schemes, in
Security Protocols, LNCS, volume 1189, pp. 69,
1997.
[13] Timothy J. McNevin, Jung-Min Park, and Randolph Marchany, pTCP: A client puzzle protocol for defending against resource exhaustion denial of service attacks, Technical Report TR-ECE-04-10, Department of Electrical and Computer Engineering, Virginia Tech, October 2004.
